A NEW KEY EXCHANGE PROTOCOL BASED ON THE 
DECOMPOSITION PROBLEM 

VLADIMIR SHPILRAIN AND ALEXANDER USHAKOV 


Abstract. In this paper we present a new key establishment protocol 
based on the decomposition problem in non-commutative groups, which 
is: given two elements $w, w_1$ of the platform group $G$ and two subgroups 
$A, B \subseteq G$ (not necessarily distinct), find elements $a \in A$, $b \in B$ 
such that $w_1 = awb$. Here we introduce two new ideas that improve 
the security of key establishment protocols based on the decomposition 
problem. In particular, we conceal (i.e., do not publish explicitly) one 
of the subgroups $A, B$, thus introducing an additional computationally 
hard problem for the adversary, namely, finding the centralizer of a given 
finitely generated subgroup. 


1. Introduction 

In search of a more efficient and/or secure alternative to established cryptographic 
protocols (such as RSA), several authors have come up with 
public key establishment protocols as well as with complete public key 
cryptosystems based on allegedly hard search problems from combinatorial 
(semi)group theory, including the conjugacy search problem, the homomorphism 
search problem, the decomposition search problem, and the subgroup 
membership search problem. 

In this paper, we focus on the decomposition search problem, which we 
subsequently call just the decomposition problem. The problem is: given 
two elements $w, w_1$ of the platform group $G$ and two subgroups $A, B \subseteq G$ 
(not necessarily distinct), find elements $a \in A$, $b \in B$ such that $w_1 = awb$. 

It is straightforward to arrange a key establishment protocol based on 
this problem, assuming that $ab = ba$ for any $a \in A$, $b \in B$: 

(0) One of the parties (say, Alice) publishes a random element $w \in G$ (the 
"base" element). 

(1) Alice chooses $a_1, a_2 \in A$ (Alice's private keys) and sends $a_1 w a_2$ to Bob. 

(2) Bob chooses $b_1, b_2 \in B$ (Bob's private keys) and sends $b_1 w b_2$ to Alice. 

(3) Alice computes 

$K_A = a_1 b_1 w b_2 a_2$ 

and Bob computes 

$K_B = b_1 a_1 w a_2 b_2$. 

Since $a_i b_i = b_i a_i$ for $i = 1, 2$, we have $K_A = K_B$ in $G$. Thus Alice and Bob have a shared secret 
key. 

Security of such a protocol will, of course, depend on the particular platform 
group $G$ (at the very least, $G$ has to be non-commutative). It appears that 
for braid groups (which are a popular choice for the platform), the so-called 
length attacks present a serious threat; see the literature on length-based attacks. 

In this paper, we introduce two new ideas that improve the security of 
key establishment protocols based on the decomposition problem: 

(i) We conceal one of the subgroups $A, B$. 

(ii) We make Alice choose her left private key $a_1$ from one of the subgroups 
$A, B$, and her right private key $a_2$ from the other subgroup. Same for Bob. 

These two improvements together will obviously foil any length attacks. 
We give a complete description of our protocol in Section 2; 
here we just sketch the main idea. 

Let $G$ be a group and $g \in G$. Denote by $C_G(g)$ the centralizer of $g$ in $G$, 
i.e., the set of elements $h \in G$ such that $hg = gh$. For $S = \{g_1, \dots, g_k\} \subseteq G$, 
$C_G(g_1, \dots, g_k)$ denotes the centralizer of $S$ in $G$, which is the intersection of 
the centralizers $C_G(g_i)$, $i = 1, \dots, k$. 

Now, given a public $w \in G$, Alice privately selects $a_1 \in G$ and publishes 
a subgroup $A \subseteq C_G(a_1)$ (we explain below why computing such an $A$ is easy). Similarly, 
Bob privately selects $b_2 \in G$ and publishes a subgroup $B \subseteq C_G(b_2)$. Alice 
then selects $a_2 \in B$ and sends $w_1 = a_1 w a_2$ to Bob, while Bob selects $b_1 \in A$ 
and sends $w_2 = b_1 w b_2$ to Alice. 

Thus, in the first transmission, say, the adversary faces the problem of 
finding $a_1, a_2$ such that $w_1 = a_1 w a_2$, where $a_2 \in B$, but there is no explicit 
indication of where to choose $a_1$ from. Therefore, before arranging something 
like a length attack in this case, the adversary would have to compute 
the centralizer $C_G(A)$ first (because $a_1 \in C_G(A)$), which is usually a hard 
problem by itself. 


2. The protocol 

In this section we give a formal description of our protocol, but first 
we introduce one more piece of notation. As is common in public key 
exchange based on abstract groups, when transmitting an element $g \in G$ 
of a group, one actually uses its normal form $N(g)$, which is a sequence of 
symbols uniquely defined for a given $g$. A specific way of constructing such 
a sequence depends, of course, on the particular platform group $G$, which we 
discuss in subsequent sections of our paper. 

Our protocol is the following sequence of steps (the base element $w \in G$ is public, 
as in the Introduction). 

Protocol: 

(1) Alice chooses an element $a_1 \in G$ of length $l$, chooses a subgroup 
of $C_G(a_1)$, and publishes its generators $A = \{\alpha_1, \dots, \alpha_k\}$ (see 
subsection 2.1 for specifications). 

(2) Bob chooses an element $b_2 \in G$ of length $l$, chooses a subgroup 
of $C_G(b_2)$, and publishes its generators $B = \{\beta_1, \dots, \beta_m\}$ (see 
subsection 2.1 for specifications). 

(3) Alice chooses a random element $a_2$ from $\langle \beta_1, \dots, \beta_m \rangle$ and sends the 
normal form $P_A = N(a_1 w a_2)$ to Bob. 

(4) Bob chooses a random element $b_1$ from $\langle \alpha_1, \dots, \alpha_k \rangle$ and sends the 
normal form $P_B = N(b_1 w b_2)$ to Alice. 

(5) Alice computes $K_A = a_1 P_B a_2$. 

(6) Bob computes $K_B = b_1 P_A b_2$. 

Since $a_1 b_1 = b_1 a_1$ and $a_2 b_2 = b_2 a_2$, we have $K = K_A = K_B$, the shared 
secret key. 
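The following Python program, added here as an illustration and not part of the original paper, runs Steps (1)-(6) above with concrete data (the basic protocol from the Introduction is the special case in which nothing is concealed). Everything not stated in the paper is an assumption of this example: the platform is the image of $B_8$ under the unreduced Burau representation evaluated at $t = 7$ over $\mathbb{F}_p$, $p = 1000003$ (a group homomorphism, so equalities in $B_8$ carry over, but not necessarily injective, so the computation really takes place in a matrix group); the transmitted elements are these matrices rather than Garside normal forms; and the commuting pairs required by (P4) are built from the fact that braids on disjoint sets of strands commute: $a_1$ is a word on $x_1, x_2, x_3$ while the published generators $A$ are words on $x_5, x_6, x_7$, and symmetrically for Bob. That construction leaves the strand split visible in the public generators and is far weaker than the centralizer-based choice of Section 2.1; it only serves to show the message flow.

```python
import random

# Parameters of this demo (assumptions, not values from the paper).
P = 1_000_003   # prime modulus; the Burau variable t is evaluated in F_p
T = 7           # evaluation point for t
N = 8           # number of strands: B_8, with generators x_1 .. x_7


def identity(n=N):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(a, b, p=P):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % p
             for j in range(n)] for i in range(n)]


def gen_matrix(g, n=N, p=P, t=T):
    """Unreduced Burau image of x_g (g > 0) or of x_{|g|}^{-1} (g < 0):
    the identity with the block [[1-t, t], [1, 0]] (or its inverse)
    placed at rows/columns |g|-1, |g|."""
    i = abs(g) - 1
    if g > 0:
        block = [[(1 - t) % p, t % p], [1, 0]]
    else:
        t_inv = pow(t, -1, p)
        block = [[0, 1], [t_inv, (t - 1) * t_inv % p]]
    m = identity(n)
    for r in range(2):
        for c in range(2):
            m[i + r][i + c] = block[r][c]
    return m


def burau(word, n=N, p=P, t=T):
    """Image in GL_n(F_p) of a braid word given as a list of signed generator indices."""
    m = identity(n)
    for g in word:
        m = mat_mul(m, gen_matrix(g, n, p, t), p)
    return m


def inverse_word(word):
    return [-g for g in reversed(word)]


def random_word(gens, length, rng):
    return [rng.choice(gens) * rng.choice((1, -1)) for _ in range(length)]


def random_subgroup_element(generator_words, factors, rng):
    """A random product of the generator words and their inverses,
    i.e. a random element of the subgroup they generate."""
    word = []
    for _ in range(factors):
        gw = rng.choice(generator_words)
        word += gw if rng.random() < 0.5 else inverse_word(gw)
    return word


def run_protocol(seed=1, word_len=20):
    rng = random.Random(seed)
    left, right = [1, 2, 3], [N - 3, N - 2, N - 1]  # x_i and x_j commute for |i-j| > 1
    # Step (0): the public base element w, a random braid on all strands.
    w = burau(random_word(list(range(1, N)), word_len, rng))
    # Step (1): Alice's private a_1 uses the left strands; her published generators
    # A = {alpha_1, ..., alpha_k} use the right strands, so they commute with a_1.
    a1_word = random_word(left, word_len, rng)
    A = [random_word(right, 6, rng) for _ in range(3)]
    # Step (2): Bob's private b_2 uses the right strands; his published generators
    # B = {beta_1, ..., beta_m} use the left strands, so they commute with b_2.
    b2_word = random_word(right, word_len, rng)
    B = [random_word(left, 6, rng) for _ in range(3)]
    # Step (3): Alice picks a_2 in <B> and sends P_A = a_1 w a_2.
    a1, a2 = burau(a1_word), burau(random_subgroup_element(B, 5, rng))
    P_A = mat_mul(mat_mul(a1, w), a2)
    # Step (4): Bob picks b_1 in <A> and sends P_B = b_1 w b_2.
    b1, b2 = burau(random_subgroup_element(A, 5, rng)), burau(b2_word)
    P_B = mat_mul(mat_mul(b1, w), b2)
    # Steps (5)-(6): each side sandwiches the other's message with its own keys.
    K_A = mat_mul(mat_mul(a1, P_B), a2)
    K_B = mat_mul(mat_mul(b1, P_A), b2)
    return {"w": w, "A": A, "B": B, "P_A": P_A, "P_B": P_B, "K_A": K_A, "K_B": K_B}


if __name__ == "__main__":
    out = run_protocol(seed=2024)
    print("shared key agrees:", out["K_A"] == out["K_B"])
```

The matrices stand in for the normal forms $N(\cdot)$ of the paper: sending the raw concatenated word $a_1 w a_2$ would hand $a_1$ and $a_2$ to the eavesdropper, since $w$ is public, so some canonical representation that destroys the factorization is essential for the protocol to make sense at all.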

2.1. Suggested values of parameters. We suggest the following 
values of parameters in the above protocol: $G = B_n$, the group of braids on 
$n$ strands (see Section 4); $n = 64$; $l = 1024$. At Step (1) of the protocol 
Alice generates $(a_1, A)$ and at Step (2) Bob generates $(b_2, B)$, both using 
an algorithm for computing centralizers (see property (P4) in Section 4; actually, there is no need 
to compute the whole centralizer, just a couple of its elements are sufficient). 

3. Requirements on the platform group $G$ 

In this section we discuss possible attacks on the protocol described in the 
previous section, and also put together some requirements on the platform 
group $G$. 

To break the protocol it is sufficient to find either Alice's or Bob's private 
key, which may be accomplished as follows: 

Attack on Alice's private key. Find an element $a_1'$ which commutes 
with every element of the subgroup $\langle A \rangle$ and an element 
$a_2' \in \langle B \rangle$ such that $P_A = N(a_1' w a_2')$. The pair $(a_1', a_2')$ is equivalent 
to $(a_1, a_2)$. (That means $a_1' w a_2' = a_1 w a_2$, and therefore the 
pair $(a_1', a_2')$ can be used by the adversary to get the shared secret 
key: since $a_1'$ commutes with $b_1 \in \langle A \rangle$ and $a_2'$ commutes with $b_2$, 
$a_1' P_B a_2' = a_1' b_1 w b_2 a_2' = b_1 a_1' w a_2' b_2 = b_1 P_A b_2 = K$.) 

Attack on Bob's private key. Find an element $b_1' \in \langle A \rangle$ and an 
element $b_2'$ which commutes with every element of the subgroup $\langle B \rangle$, 
such that $P_B = N(b_1' w b_2')$. The pair $(b_1', b_2')$ is equivalent to $(b_1, b_2)$. 

Consider the attack on Alice's private key (the other one is similar). The 
most obvious way to carry out such an attack is the following: 

(A1) Compute the centralizer $C_G(A)$. 

(A2) Solve the search version of the membership problem in the double 
coset $C_G(A) \cdot w \cdot \langle B \rangle$. 

To make the protocol secure, we want both these problems to be computationally 
hard. For the problem (A2) to be hard, it is necessary for the 
centralizer $C_G(A)$ to be large. Otherwise, the adversary can use the "brute 
force" attack, i.e., enumerate all elements $a_1'$ of $C_G(A)$ and find candidates for 
$a_2'$: once $a_1'$ is fixed, $a_2' = w^{-1} a_1'^{-1} P_A$ is determined, and it only remains 
to test whether it lies in $\langle B \rangle$ (assuming that the decisional membership problem in the subgroup $\langle B \rangle$ is 
efficiently solvable). 
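To make the brute-force route (A1)-(A2) concrete, here is an added Python example (not from the paper) that runs the attack against the protocol of Section 2 instantiated in a platform where (P1) and (P5) deliberately fail: the symmetric group $S_6$, a finite group in which the centralizer of the published generators can simply be enumerated. The instance (private keys, published generators, base element) is constructed at random inside the script; the degree 6 and the number of published generators are assumptions. For every candidate $a_1' \in C_G(A)$ the attacker computes $a_2' = w^{-1} a_1'^{-1} P_A$ and tests membership in $\langle B \rangle$; the first hit is an equivalent pair and yields $K$ via $a_1' P_B a_2'$.

```python
from itertools import permutations
import random

N = 6  # degree of the toy platform S_6 (an assumption of this example)


def compose(p, q):
    """Product p*q read as 'apply p, then q'; permutations are tuples on 0..n-1."""
    return tuple(q[p[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def generated_subgroup(gens, n=N):
    """All elements of <gens>, by closure (fine for a group as small as S_6)."""
    ident = tuple(range(n))
    seen, frontier = {ident}, [ident]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = compose(x, g)
            if y not in seen:
                seen.add(y)
                frontier.append(y)
    return seen


def centralizer(elements, gens):
    """C_G(gens) by brute force over all of G: this is step (A1)."""
    return [x for x in elements
            if all(compose(x, g) == compose(g, x) for g in gens)]


def make_instance(seed=7, n=N):
    """Run the protocol of Section 2 honestly in S_n and return the public
    data together with the shared key (kept only to check the attack)."""
    rng = random.Random(seed)
    G = [tuple(p) for p in permutations(range(n))]
    w = rng.choice(G)                                   # public base element
    a1 = rng.choice(G)                                  # Alice's private a_1
    A = [rng.choice(centralizer(G, [a1])) for _ in range(2)]   # published, inside C_G(a_1)
    b2 = rng.choice(G)                                  # Bob's private b_2
    B = [rng.choice(centralizer(G, [b2])) for _ in range(2)]   # published, inside C_G(b_2)
    a2 = rng.choice(sorted(generated_subgroup(B, n)))   # Alice's a_2 in <B>
    b1 = rng.choice(sorted(generated_subgroup(A, n)))   # Bob's b_1 in <A>
    P_A = compose(compose(a1, w), a2)
    P_B = compose(compose(b1, w), b2)
    K_A = compose(compose(a1, P_B), a2)
    K_B = compose(compose(b1, P_A), b2)
    assert K_A == K_B
    return {"n": n, "G": G, "w": w, "A": A, "B": B, "P_A": P_A, "P_B": P_B, "K": K_A}


def attack_alice(inst):
    """Steps (A1)+(A2) by exhaustion. Returns (recovered key, candidates tried)."""
    H = centralizer(inst["G"], inst["A"])          # (A1): C_G(A)
    B_sub = generated_subgroup(inst["B"], inst["n"])
    w_inv = inverse(inst["w"])
    for tried, a1p in enumerate(H, start=1):
        # (A2): with a_1' fixed, a_2' = w^{-1} a_1'^{-1} P_A is forced; keep it if in <B>.
        a2p = compose(compose(w_inv, inverse(a1p)), inst["P_A"])
        if a2p in B_sub:
            # (a_1', a_2') is equivalent to Alice's pair, so a_1' P_B a_2' = K.
            return compose(compose(a1p, inst["P_B"]), a2p), tried
    return None, len(H)


if __name__ == "__main__":
    inst = make_instance()
    key, tried = attack_alice(inst)
    print("recovered:", key == inst["K"], "after", tried, "of", len(inst["G"]), "elements")
```

The attack always terminates with the key because $a_1$ itself is in $C_G(A)$ and $a_2 \in \langle B \rangle$; the only question is how many candidates come before the first hit, which is bounded by $|C_G(A)|$. This is exactly the quantity that properties (P1) and (P5) are meant to make astronomically large.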

Thus the platform group $G$ should satisfy at least the following properties 
in order for our key establishment protocol to be efficient and secure. 

(P1) $G$ should be a non-commutative group of exponential growth. The 
latter means that the number of elements of length $n$ in $G$ is exponential 
in $n$; this is needed to prevent attacks by complete exhaustion 
of the key space. 

(P2) There should be an efficiently computable normal form for elements 
of $G$. 

(P3) It should be computationally easy to perform group operations (multiplication 
and inversion) on normal forms. 

(P4) It should be computationally easy to generate pairs $(a, \{\alpha_1, \dots, \alpha_k\})$ 
such that $a \alpha_i = \alpha_i a$ for each $i = 1, \dots, k$. (Clearly, in this case the 
subgroup generated by $\alpha_1, \dots, \alpha_k$ centralizes $a$.) 

(P5) For a generic set $\{g_1, \dots, g_k\}$ of elements of $G$ it should be difficult 
to compute 

$C(g_1, \dots, g_k) = C(g_1) \cap \dots \cap C(g_k)$. 

(P6) Even if $H = C(g_1, \dots, g_k)$ is computed, it should be hard to find 
$x \in H$ and $y \in H'$ (where $H'$ is some fixed subgroup given by a 
generating set) such that $xwy = w'$, i.e., to solve the membership 
search problem for a double coset. 

4. Braid groups 

In this section we consider a particular class of groups, namely braid 
groups, which were a popular choice for the platform of various cryptographic 
protocols in the last 6-7 years, starting with the seminal paper that 
introduced them for this purpose. 

Let $B_n$ be the group of braids on $n$ strands and $X_n = \{x_1, \dots, x_{n-1}\}$ the 
set of standard generators. Thus, 

$B_n = \langle x_1, \dots, x_{n-1} \mid x_i x_{i+1} x_i = x_{i+1} x_i x_{i+1},\ x_i x_j = x_j x_i \text{ for } |i - j| > 1 \rangle.$ 

For more information on braid groups, we refer to the standard monographs; 
here we address the properties (P1)-(P6) from the previous section. 

(P1) Braid groups $B_n$ are non-commutative groups of exponential growth 
if $n \ge 3$. 

(P2) There are several known normal forms for elements of $B_n$, including 
the Garside normal form and the Birman-Ko-Lee normal form. 
Both of these forms are efficiently computable (in quadratic time 
with respect to the length of a given element). 

(P3) There are quadratic time algorithms to multiply or invert normal 
forms of elements of $B_n$. 

(P4) It is not so easy to compute the whole centralizer of an element $g$ 
of $G$. The number of steps required to compute $C_G(g)$ 
is proportional to $|SSS(g)|$, the size of the "super summit set" of 
$g$, which is typically huge. Nevertheless, there are approaches to 
finding "large parts" of $C_G(g)$, e.g. one can generate a sufficiently 
large part of $SSS(g)$ and pick several elements from there. (The 
elements of $C_G(g)$ that are available for free, namely powers of $g$ itself 
and the central element $\Delta^2$, are of no use as published generators: a 
power of $g$ leaks information about $g$, and a central element commutes 
with everything and so conceals nothing.) 

(P5) For a generic subgroup $A$ it is hard to compute $C_G(A)$. The complexity 
of such a computation is proportional to $|SS(A)|$, the size of 
the summit set of $A$, which is typically huge. 

(P6) There is no known solution to the membership search problem for 
double cosets $H \cdot w \cdot H'$ in braid groups. This problem, in theory, 
appears to be much more complicated (for generic subgroups $H$ and 
$H'$) than the conjugacy search problem. 

5. Semantic security 

In this section, we discuss semantic security of a cryptosystem that would 
be based on a shared key obtained in our protocol. Semantic security is the 
standard notion of security for encryption protocols. 

Security of the protocol described in Section 2 is based on the assumption 
that the following problem is computationally hard: 

Given the public information $w$, $P_A$, and $P_B$, it is hard to 
compute the shared key $K$. 

This assumption is the computational assumption of the protocol. The 
stronger decisional version of this assumption would be: 

Given $w$, $P_A$, and $P_B$, it is hard to distinguish the shared 
key $K$ from a random element of the form $awb$. 

We should point out that without this decisional assumption, it may 
still be possible to design a semantically secure encryption protocol in the 
"random oracle model" the same way it was done in earlier work, namely, 
by employing a hash function $H : B_n \to \{0,1\}^k$ from the braid group to 
the message space. Still, it would be quite interesting to find out whether 
or not the shared key $K$ obtained in our key establishment protocol can be 
directly used for semantically secure encryption. 

The decisional assumption above appears to be wrong for most choices 
of $w, P_A$ and $P_B$ because of the following consideration. Since $P_A = a_1 w a_2$, 
we have $a_1 = P_A a_2^{-1} w^{-1}$. Therefore, $K = a_1 b_1 w b_2 a_2 = a_1 P_B a_2 = P_A a_2^{-1} (w^{-1} P_B) a_2$. 
Hence, $K$ is a product of the public element $P_A$ and the public element $w^{-1} P_B$ 
conjugated by an element $a_2$ from the subgroup $\langle \beta_1, \dots, \beta_m \rangle$. 

It seems plausible that, for some choices of the keys, elements of this 
type can be distinguished from random elements of the form $awb$ along the 
same lines as in earlier work (in a different, but similar context). Indeed, if 
$w^{-1} P_B$ is not a pure braid, then it projects to a non-trivial permutation, call 
it $p_B$, under the natural homomorphism $\pi$ from the braid group $B_n$ onto the 
symmetric group $S_n$. Then the conjugate permutation $\pi(a_2)^{-1} p_B \pi(a_2)$ has 
the same cycle structure as $p_B$ does, and this gives away some information 
about the permutation $\pi(K) = \pi(P_A)\, \pi(a_2)^{-1} p_B\, \pi(a_2)$; for example, from 
knowing $\pi(P_A)$ and the cycle structure of $\pi(a_2)^{-1} p_B \pi(a_2)$, one can get 
information about the possible order of the permutation $\pi(K)$. 

If both $P_A$ and $w^{-1} P_B$ are pure braids, then it is possible to use other 
homomorphisms (e.g. pulling out a strand) to obtain some partial information. 
If $w^{-1} P_B$ is a pure braid but $P_A$ is not, then, again, 
the homomorphism $\pi$ reveals partial information about the shared key $K$ 
(in that case $p_B$ is trivial and $\pi(K) = \pi(P_A)$ outright). 
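The leak through $\pi$ can be checked on a small instance. The Python script below is added as an illustration (it is not from the paper) and uses constructed braid words in $B_6$ for $w, a_1, a_2, b_1, b_2$, chosen so that $a_1, a_2$ are braids on strands 1-3 and $b_1, b_2$ braids on strands 4-6 (hence the pairs commute, as the protocol requires); the decisional question itself is not settled here. It computes $\pi$ of the relevant words, checks that $\pi(K) = \pi(P_A)\,\pi(a_2)^{-1} p_B\,\pi(a_2)$ and that conjugation preserves the cycle type of $p_B$, and then enumerates, from public data alone ($\pi(P_A)$ and the cycle type of $p_B$), the set of orders that $\pi(K)$ can possibly have.

```python
from itertools import permutations
from math import lcm

N = 6  # number of strands of this constructed example (not the paper's parameters)


def compose(p, q):
    """Product p*q read as 'apply p, then q' on tuples over 0..n-1."""
    return tuple(q[p[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, pi_i in enumerate(p):
        inv[pi_i] = i
    return tuple(inv)


def pi(word, n=N):
    """The natural homomorphism B_n -> S_n: x_i^{+-1} -> transposition of strands i, i+1."""
    perm = tuple(range(n))
    for g in word:
        i = abs(g) - 1
        t = list(range(n))
        t[i], t[i + 1] = t[i + 1], t[i]
        perm = compose(perm, tuple(t))
    return perm


def cycle_type(p):
    seen, lengths = set(), []
    for start in range(len(p)):
        if start in seen:
            continue
        length, x = 0, start
        while x not in seen:
            seen.add(x)
            x = p[x]
            length += 1
        lengths.append(length)
    return tuple(sorted(lengths, reverse=True))


def order(p):
    return lcm(*cycle_type(p))


def possible_orders(pi_PA, ct, n=N):
    """Orders of pi(P_A) * c over all c in S_n with cycle type ct: everything an
    eavesdropper can infer about ord(pi(K)) from pi(P_A) and the cycle type of p_B."""
    return {order(compose(pi_PA, tuple(c)))
            for c in permutations(range(n)) if cycle_type(c) == ct}


def analyse(w, a1, a2, b1, b2, n=N):
    P_A, P_B = a1 + w + a2, b1 + w + b2            # braid words; product = concatenation
    K = a1 + b1 + w + b2 + a2                      # the shared key a_1 b_1 w b_2 a_2
    p_B = pi([-g for g in reversed(w)] + P_B, n)   # pi(w^{-1} P_B)
    pa2 = pi(a2, n)
    conj = compose(compose(inverse(pa2), p_B), pa2)   # pi(a_2)^{-1} p_B pi(a_2)
    return {
        "pi_K": pi(K, n),
        "pi_K_from_public_form": compose(pi(P_A, n), conj),
        "cycle_type_pB": cycle_type(p_B),
        "cycle_type_conj": cycle_type(conj),
        "order_pi_K": order(pi(K, n)),
        "possible_orders": possible_orders(pi(P_A, n), cycle_type(p_B), n),
        "all_orders_in_Sn": {order(c) for c in permutations(range(n))},
    }


# Constructed instance: a_1, a_2 live on strands 1-3, b_1, b_2 on strands 4-6.
W = [1, 2, 3, 4, 5, -2, 3]
A1, A2 = [1, 2, -1, 2], [2, 1, 1, -2]
B1, B2 = [4, 5, -4], [5, 4, 4, 5]

if __name__ == "__main__":
    r = analyse(W, A1, A2, B1, B2)
    print(r["cycle_type_pB"], r["order_pi_K"], sorted(r["possible_orders"]))
```

In this instance $w^{-1}P_B$ projects to a transposition, so $\pi(K)$ is $\pi(P_A)$ times an odd permutation and its parity is already fixed by public data; that alone rules out some orders (in $S_6$, order 6 requires an odd permutation, and $\pi(P_A)$ here is odd), which is the kind of partial information the argument above refers to.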